Re: [PATCH] crypto: clarify relationship of CONFIG_{BOOTM_FITIMAGE_PUBKEY,RSA_KEY}

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, Jul 27, 2023 at 11:47:48AM +0200, Ahmad Fatoum wrote:
> CONFIG_RSA_KEY and CONFIG_BOOTM_FITIMAGE_PUBKEY can both point at the
> RSA public key, but with different formats. CONFIG_RSA_KEY is probably
> easier to integrate, so reference it from CONFIG_BOOTM_FITIMAGE_PUBKEY
> and be explicit about the different formatting.
> ---
>  common/Kconfig | 11 ++++++++---
>  crypto/Kconfig |  3 +++
>  2 files changed, 11 insertions(+), 3 deletions(-)

Applied, thanks

Sascha

> 
> diff --git a/common/Kconfig b/common/Kconfig
> index 3a57e16b3be6..0c7ba6a63685 100644
> --- a/common/Kconfig
> +++ b/common/Kconfig
> @@ -644,9 +644,10 @@ config BOOTM_FITIMAGE_PUBKEY_ENV
>  	bool "Specify path to public key in environment"
>  	depends on BOOTM_FITIMAGE_SIGNATURE
>  	help
> -	  If this option is enabled the path to the public key for verifying
> -	  FIT images signature is taken from environment which allows for
> -	  better integration with build systems.
> +	  If this option is enabled the path to the device tree snippet
> +	  containing the public key for verifying FIT images signature is taken
> +	  from make's build-time environment, which can allow for better
> +	  integration with some build systems.
>  
>  	  The environment variable has the same name as the corresponding
>  	  Kconfig variable:
> @@ -664,6 +665,10 @@ config BOOTM_FITIMAGE_PUBKEY
>  	  snippet can then be included in a device tree with
>  	  "#include CONFIG_BOOTM_FITIMAGE_PUBKEY".
>  
> +	  This snippet is usually generated by decompiling a device tree produced
> +	  by mkimage. An alternative is CONFIG_CRYPTO_RSA_KEY, which takes a PEM
> +	  file or a PKCS#11 URI.
> +
>  endif
>  
>  config BOOTM_FORCE_SIGNED_IMAGES
> diff --git a/crypto/Kconfig b/crypto/Kconfig
> index 629f615de1af..04e5ef43705b 100644
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -130,6 +130,9 @@ config CRYPTO_RSA_KEY
>  	  X.509 certificates to be included into barebox. If the string starts
>  	  with "pkcs11:" it is interpreted as a PKCS#11 URI rather than a file.
>  
> +	  This avoids the mkimage dependency of CONFIG_BOOTM_FITIMAGE_PUBKEY
> +	  at the cost of an openssl build-time dependency.
> +
>  config CRYPTO_RSA_KEY_NAME_HINT
>  	depends on CRYPTO_RSA
>  	string "FIT image key name hint"
> -- 
> 2.39.2
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
[Index of Archives]     [Linux Embedded]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux